Slyberoam
6216-157828 This page attempts to conform to the W3C XHTML1.0 specification and uses stylesheets extensively. Read why.
© 2003 Rahul Mittal. All rights reserved.
Home
About Me
Blog
Astronomy
Software
Holography
Bagel
Made4me
Hebron Weblink
Miscellaneous
Contact
Manage

Updated 12.May.2003

[Click here to skip ahead to the downloads section.]

News

12.May.2003 - Released Slyberoam 0.4.0.0. Slyberoam now promptly resumes any disconnections and is able to automatically detect the protocol version used by your ISP's network. Other enhancements include a even more simplified installation process, and better logging.

20.Apr.2003 - Released Slyberoam 0.2 Build 1205. Some parts of the previously long and tedious installation process have been simplified and automated. This release should also fix any installation issues on Win95/98/NT. The configuration tool has also been made more robust.

18.Apr.2003 - Released Slyberoam 0.2. Read through the rather long installation instructions, and let me know if you have any troubles. This release partially fixes the problems with IP header mangling.

14.Apr.2003 - I have been working with Mayur Naik and Ashish Kulkarni to determine how the Cyberoam protocol actually determines which packets passing through its gateway originate from PC's that have the clients installed. It turns out, as Ashish discovered, that bit 6 (and sometimes 7) of the TOS (Type of Service) octet of each outgoing IP datagram is set to 1 by the Elitecore Network Organizer (enonotify.dll and eno2000.sys). This serves as a flag for the 24Online gateway.

09.Apr.2003 - Security Alert. I should have issued this warning much sooner, but I strongly advise all users of 24Online software to inspect the installation folder for this software. By default this is C:\Program Files\In2Cable. If you find two files in there called "Restart2.exe" and "RestartMessage.exe", you might want to move or rename those files so that they aren't accessible to the 24Online software. I suspect that those files merely restart the 24Online client, but I have yet to determine in what circumstances those files may be executed. I would urge everyone to be on the safer side in case those files have the ability to reboot your system.

Introduction

This page is dedicated towards evaluating privacy and security issues in the Cyberoam protocol used by 24Online servers. This protocol was developed by Elitecore Technologies in their attempt to create some sort of employee management software. It has since been adapted for bandwidth and subscriber management by Internet Service Providers (ISP's). In terms of manageability, Elitecore has an excellent product and to that end they have done an excellent job. But this is has come at the cost of security, as I have explained further below.

In order to study these issues, I have built a client called Slyberoam which can talk to a 24Online server using the Cyberoam protocol.

Motivation

The motivation for this project originally began by the imposition of this bandwidth and subscriber management software on me by my ISP, In2Cable (India) Ltd. I perceive this imposition as a threat to my individual privacy. The ISP now not only sells me a cable modem based internet service, but also controls every interaction I undergo on the internet.

Some people feel I might be paranoid, but I view this scenario as similar, if not identical, to purchasing petrol at a petrol bunk. If I buy 20 litres of petrol for my car, the filling station has no right to be concerned about what I do or where I go with that 20 litres. They may wish to inquire about what I intend to do with the petrol, and refuse me that petrol even if I am willing to pay the price they demand for it. But once they sell the petrol to me, they have no right to set up private detectives to chase me around and report on how I use it up.

Similarly, I buy bandwidth from my ISP. They have no right to demand that I register with them every time I need to browse the internet. Their job is selling bandwidth, not policing it, just like a filling station sells petrol. What's worse is that a portion of my monthly subscription fee goes towards this policing. This means that I am paying for the cable modem company to invade my privacy.

Unfortunately I currently have no other reasonable alternatives. Bangalore is developing fast, but there is still a severe lack of ISP options available to the citizens. Further, very few citizens understand the privacy laws of the Government of India thoroughly. Hopefully this situation will improve with time.

Goals

My primary goal with Slyberoam is to be able to decipher the Cyberoam protocol. With this I will be able to evaluate what sort of information is being collected from me by Cyberoam, and take appropriate countermeasures if necessary. I have already successfully reverse engineered most, if not all, of the protocol. However certain functions remain to be observed and analyzed. I have already identified and removed certain extremely dangerous components that were installed by the setup program. These include files called "Restart2.exe" and "RestartMessage.exe" -- does anyone smell "Trojan"?

In addition to the potential trojan programs above, there is one other aspect of the installed client that I am very concerned about. This is the two files enonotify.dll and eno2000.sys installed as network services by the name of "Elitecore Network Organizer". I have no idea what they do, but basically I cannot connect to the internet if this file isn't installed. I cannot detect any packets or communication arising from this service, but it sits there eating up memory and precious CPU cycles. Determining the purpose of this file and neutralizing it or replacing it is currently the top priority for me as I work on the Slyberoam project.

Scenarios

It is easy to imagine hazardous scenarios for all of my ISP's customers. For example, someone in the intranet may discover the messages required to initiate the "Restart2.exe" program, and then, after using MAC address cloning to hide his/her identity, cause all computers in the ISP's intranet to reboot. Additionally, with our latest findings, it is possible for anybody in the network to identify which other computer has which version of the 24Online software installed, and for them to then direct their attacks accordingly.

How To Participate

Are you:

  • similarly concerned about your online privacy on Cyberoam/24Online networks?
  • interested in contributing to the study of the Cyberoam/24Online protocol?
  • developing your own client for Cyberoam/24Online?

If yes, I urge you to join the linc-devel or linc-user mailing lists. These lists are the preferred and most popular Cyberoam/24Online related discussion media that I know of.

Downloads

In the document below I attempt to present information on what is known about the protocol thus far. The protocol described in the document is the one used by my Client (version 1.3). I am not sure what the official version number is.

[Cyberoam Protocol description]
[Slyberoam Software]

Related Links

I am not the first to attempt to decode the Cyberoam protocol. Listed below are other attempts to decode this protocol that I am aware of:

  1. Amish Mehta's Cyberoam Authentication Client.
  2. Mayur Naik's linc - now implements the password encryption algorithm which I reverse engineered. This is the recommended 24Online client application for *nix platforms.

Disclaimer: This document is a work in progress. It comes with no warranty or promise whatsoever. Use the document at your own risk. Interfering with networks owned and maintained by other people can potentially make you liable for any damages or breaches of security. The author is in no way responsible for any action taken by anybody as a result of the information contained within this document. The author affirms that no legal rules were broken in deciphering this protocol, and no Cyberoam servers suffered any attack or damage of any form as a result of my investigation.

If you have any information to contribute regarding this protocol, please contact me.